[redhat-lspp] RBAC Roles

Stephen Smalley sds at tycho.nsa.gov
Wed Sep 21 19:41:06 UTC 2005


On Wed, 2005-09-21 at 15:28 -0400, Steve Grubb wrote:
> On Wednesday 21 September 2005 15:17, Stephen Smalley wrote:
> > If you want to do it via the audit subsystem, then if we have the
> > ability to specify auditctl rules based on levels, then I would think
> > you could just specify it using a never rule for the desired level. But 
> > you would need to change avc_audit to only queue up audit records on the
> > audit context rather than immediately emitting audit messages itself,
> > and defer the generation for them all until audit_syscall_exit so that
> > the syscall filter could suppress it.
> 
> That seems the best way to go. Unless there are any objections, this is how 
> we'll do it.

One caveat to keep in mind is that avc_audit also audits some permission
checks that don't occur in syscall context (e.g. network input
processing, SIGIO delivery), so you'd need to distinguish those cases
and still have avc_audit directly emit audit messages for them.

Another issue here is that the audit filters are applied at the end of
the operation, so any filtering based on _object_ level (versus process
level) may be complicated.  You don't have the object anymore, and you
have the aggregation of data for all objects accessed during the
syscall.  With the patch from Dustin/Dan, you will have the object
security context strings saved in the audit context, but you still have
to pick the "right" one, split out its parts, and compare strings or map
to a value.
 
-- 
Stephen Smalley
National Security Agency
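The deferral scheme discussed in this thread, as an added illustrative model in C that is not kernel code and not from the list: `avc_audit` queues records onto the task's audit context when one exists and emits directly when there is none (the network-input / SIGIO case raised above), and `audit_syscall_exit` applies a level-based "never" rule to the queued records before emitting them. All struct and function names (`model_avc_audit`, `model_audit_syscall_exit`, `struct never_rule`) are hypothetical, and the level strings are constructed sample values; only the process (subject) level is filtered here, since the object-level case described in the message needs the saved object context strings that this model does not carry.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define MAX_PENDING 8
#define LEVEL_LEN   16

/* Minimal model of one AVC audit record: subject MLS level plus the permission checked. */
struct avc_record {
    char level[LEVEL_LEN];   /* e.g. "s0", "s2" (constructed sample values) */
    char perm[LEVEL_LEN];
};

/* Hypothetical per-task audit context: records are queued here instead of being
 * emitted immediately, so the syscall-exit filter can still suppress them. */
struct audit_context {
    struct avc_record pending[MAX_PENDING];
    int npending;
};

/* Model of an auditctl "never" rule keyed on the subject level (hypothetical). */
struct never_rule {
    char level[LEVEL_LEN];
};

static void copy_field(char *dst, const char *src)
{
    strncpy(dst, src, LEVEL_LEN - 1);
    dst[LEVEL_LEN - 1] = '\0';
}

/* Stand-in for writing the record to the audit log. */
static void emit_record(const struct avc_record *r)
{
    printf("avc: denied { %s } level=%s\n", r->perm, r->level);
}

static bool filter_suppresses(const struct never_rule *rule, const struct avc_record *r)
{
    return rule != NULL && strcmp(rule->level, r->level) == 0;
}

/* model_avc_audit: ctx == NULL means the check did not occur in syscall context
 * (network input processing, SIGIO delivery), so the record must be emitted now.
 * Returns 1 if the record was emitted immediately, 0 if it was queued. */
int model_avc_audit(struct audit_context *ctx, const char *level, const char *perm)
{
    struct avc_record r;
    copy_field(r.level, level);
    copy_field(r.perm, perm);

    if (ctx == NULL || ctx->npending >= MAX_PENDING) {
        /* No context to defer into (or queue full): never drop the record silently. */
        emit_record(&r);
        return 1;
    }
    ctx->pending[ctx->npending++] = r;
    return 0;
}

/* model_audit_syscall_exit: apply the never rule to everything queued during the
 * syscall, emit the survivors, and clear the queue. Returns the number emitted. */
int model_audit_syscall_exit(struct audit_context *ctx, const struct never_rule *rule)
{
    int emitted = 0;
    for (int i = 0; i < ctx->npending; i++) {
        if (!filter_suppresses(rule, &ctx->pending[i])) {
            emit_record(&ctx->pending[i]);
            emitted++;
        }
    }
    ctx->npending = 0;
    return emitted;
}

int main(void)
{
    struct audit_context ctx = { .npending = 0 };
    struct never_rule rule;
    copy_field(rule.level, "s2");   /* constructed: suppress records for level s2 */

    /* Two checks inside one syscall: one at the filtered level, one not. */
    model_avc_audit(&ctx, "s2", "read");
    model_avc_audit(&ctx, "s0", "write");
    printf("emitted at syscall exit: %d\n", model_audit_syscall_exit(&ctx, &rule));

    /* A check with no syscall context bypasses the queue and the filter. */
    printf("emitted directly: %d\n", model_avc_audit(NULL, "s2", "recv"));
    return 0;
}
```

The point the model makes concrete is the split Smalley describes: only records that have an audit context to land in can be filtered at syscall exit, so the no-context path must keep emitting directly, and the filter sees the whole syscall's queue rather than the single object being checked.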